SAS_TSNEWS
Moderator

Official security bulletin: SAS Statement Regarding Remote Code Execution Vulnerability (CVE-2021-44228)

 

As SAS Technical Support and R&D experts have news and guidance to share about this vulnerability and its impact on SAS software and services, the teams will update the official security bulletin. To be notified when these updates occur, subscribe to this community topic by clicking the Subscribe button at the top of the message. Note that in order to subscribe you must be signed into the community with your SAS profile.

 

Alternatively you can follow the update notices (without signing in) via RSS Feed. Select Options -> RSS Feed and add to your preferred RSS feed reader.

 

SAS_TSNEWS
Moderator

Most recent updates:

  • 12-14-2021 (8:00 PM EST) – Minor corrections within the Security Bulletin page, along with a "next update expected" announcement
  • 12-14-2021 (3:00 PM EST) – Updates within the Security Bulletin page, including information on related vulnerabilities, links to instructions for SAS® Viya® 3.4 and SAS® Viya® 3.5, and evaluations and recommendations for SAS platforms, cloud solutions, and products

Next update expected: 12-15-2021 (by 1:00 PM EST).

 

Read the full updated bulletin.

SAS_TS_Rayna
SAS Employee

Most recent updates:

  • 12-15-2021 (1:00 PM EST) - Additional information about Memex® products, where to obtain updated signatures, and how to subscribe to bulletin updates 

Next update expected: 12-15-2021 (by 9:00 PM EST)

Read the full updated bulletin.

SAS_TS_Rayna
SAS Employee

Most recent updates:

  • 12-15-2021 (11:00 PM EST) - Vulnerability scan guidance; additional guidance for SAS® 9.4; links to instructions for SAS® 9.4 and SAS® Viya® 2020.1 and later; update for IDeaS® products; update on remediation status for SAS® Customer Intelligence 360; evaluations and recommendations for SAS® Fraud Management and SAS® Business Orchestration Services

Next update expected: 12-16-2021 (approximately 1:00 PM EST)

Read the full updated bulletin.

SAS_TS_Rayna
SAS Employee

Most recent updates:

  • 12-16-2021 (7:00 AM EST) - Update on Memex® products

Next update expected: 12-16-2021 (approximately 1:00 PM EST)

 

Read the full updated bulletin.

SAS_TS_Rayna
SAS Employee

Most recent updates:

  • 12-16-2021 (6:00 PM EST) - Assessment of unauthenticated remote code execution (RCE) exploits (not possible), update on Memex® products and SAS® Customer Intelligence 360, evaluations and recommendations for SAS® Viya® 2021.x deployments with Open Distro for Elasticsearch, SAS® Adaptive Learning and Intelligent Agent System, SAS® Anti-Money Laundering, SAS® Customer Due Diligence, SAS® Identity 360, SAS® Real-Time Screening, and SAS® Visual Investigator  

Next update expected: 12-17-2021 (approximately 6:00 PM EST)

Read the full updated bulletin.

SAS_TS_ChrisD
SAS Employee

Most recent updates:

 

  • 12-17-2021 (10:00 PM EST) - Mitigation and remediation steps for SAS software, including upcoming repository scan-fix tool; instructions for SAS® Viya® 3.3; additional guidance for SAS® Cloud Solutions; solution guidance that aligns with dependent SAS products; updated information for SAS® Anti-Money Laundering, SAS® Customer Due Diligence, and SAS® Fraud Management; evaluations and recommendations for SAS® Analytics for IoT, SAS® Asset Performance Analytics, SAS® Energy Forecasting, SAS® Event Stream Processing, SAS® Field Quality Analytics, SAS® Production Quality Analytics, SASPy Python Interface to MVA SAS, SAS® Quality Analytic Suite, and SAS® Risk Management Solutions on both the 9.4 and SAS Viya platforms

 

Next update expected: 12-20-2021 (approximately 6:00 PM EST)

 

Read the full updated bulletin.

SAS_TS_Rayna
SAS Employee

Most recent updates:

  • 12-20-2021 (6:00 PM) – Reformatting of bulletin page, addition of CVE-2021-45105 to the related vulnerabilities, revised versioning information for the upcoming scan-fix tool, addition of z/OS within the platform-level instructions for SAS® 9.4, detailed evaluations and recommendations for SAS® Adaptive Learning and Intelligent Agent System (version 10.5.1), SAS® Intelligence and Investigation Management, SAS® Life Science Analytics Framework, and SAS® Visual Investigator (versions 10.5 and 10.5.1)

Next update expected: 12-21-2021 (approximately 6:00 PM EST)

 

Read the full updated bulletin.

SAS_TS_Rayna
SAS Employee

Most recent updates:

  • 12-21-2021 (6:00 PM EST) - Clarification of guidance for unauthenticated versus authenticated remote code execution; updated evaluations and recommendations for SAS® Platforms and SAS® Cloud Solutions; in the SAS® 9.4 instructions, added SAS Software depot to the list of directories to search; evaluation of SAS® 9.3 and SAS® 9.2; detailed evaluations and recommendations for SAS® Cost and Profitability Management, SAS® Demand Planning, SAS® Demand Signal Repository, SAS® Financial Management, SAS® Financial Planning and Assortment Planning, SAS® Forecast Analyst Workbench, SAS® Intelligence and Investigation Management (versions 1.2-1.4), SAS® Intelligent Planning, SAS® Inventory Optimization, SAS® Inventory Optimization Workbench, SAS® IT Resource Management, SAS® IT Resource Management for SAP, SAS® Markdown Optimization, SAS® Merchandise Allocation, SAS® Merchandise Planning, SAS® Pack Optimization, SAS® Profitability Management, SAS® Promotion Optimization, SAS® Regular Price Optimization, SAS® Size Optimization, SAS® Size Profiling, and SAS® Visual Investigator (version 10.4)

Next update expected: 12-22-2021 (approximately 6:00 PM EST)

 

Read the full updated bulletin.

SAS_TS_Rayna
SAS Employee

Most recent updates:

  • 12-22-2021 (9:00 PM EST) - Automated approach to remediation on SAS® 9.4 (Loguccino), removal of JndiLookup class on server vs client machines, detailed evaluations and recommendations for SAS® API for ThreatMetrix Offerings, SAS® Campaign Management, SAS® Clinical Trial Data Transparency, SAS® Continuous Monitoring Offerings, SAS® Customer Intelligence 360 Discover, SAS® Customer Intelligence 360 Engage: Digital, SAS® Customer Intelligence 360 Engage: Direct, SAS® Customer Intelligence 360 Engage: Email, SAS® Customer Intelligence 360 Engage: Optimize, SAS® Customer Intelligence 360 Match, SAS® Customer Intelligence 360 Plan, SAS® Detection and Investigation Offerings, SAS® Financial Crimes Analytics (on SAS® Viya®), SAS® Life Science Analytics Framework 5.4, SAS® Life Science Analytics Framework APIs and Extensions, SAS® Marketing Automation, SAS® Marketing Optimization, SAS® Orchestration Adapters, and SAS® Real-Time Decision Manager 

Next update expected: 12-23-2021 (approximately 6:00 PM EST)

 

Read the full updated bulletin.

SAS_TS_Rayna
SAS Employee

Today's bulletin update for the Remote Code Execution Vulnerability (CVE-2021-44228) is delayed until tomorrow morning, due to substantial changes that are being finalized. Instead, there will be a significant update to the guidance in the bulletin tomorrow, 12-24-2021 at 12:00 PM EST.

SAS_TS_Rayna
SAS Employee

Most recent updates:

  • 12-24-2021 (12:00 PM EST) - Automated approach to remediation on SAS® Viya® 3.(loguccino) with corresponding adjustments in guidance and instructions; plans for updating to Log4j 2.17; detailed evaluations and recommendations for SAS® Analytics Accelerator for Teradata, SAS® Data Management Studio and Server, SAS® Data Quality Accelerators, SAS® Grid Manager, SAS® In-Database Technologies, SAS® Scoring Accelerators, SAS® Visual Analytics, and SAS® Visual Analytics Apps

 

Read the full updated bulletin.

SAS_TS_Rayna
SAS Employee

Most recent update:

  • 12-28-2021 (5:30 PM EST) - Addition of related vulnerability, CVE-2021-44832

Read the full updated bulletin.

SAS_TS_ChrisD
SAS Employee

Most recent update:

  • 1-3-2022 (5:30 PM EST) – Updated guidance for SAS® 9.4; detailed evaluations and recommendations for SAS® Add-in for Microsoft Office and SAS® Enterprise Guide® 

SAS_TS_Rayna
SAS Employee

Most recent update:

  • 1-4-2022 (6:00 PM EST) - Mapping of mitigation and remediation measures to specific Log4j CVEs; plans for delivery of Log4j versions 2.17.1+; detailed evaluation and recommendation for SAS® 9 Content Assessment

Read the full updated bulletin.
